commit d31a849ff5011dad5c271b53819a0b279e367d68
Author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date:   Mon May 11 08:20:52 2026 +0200

    Linux 6.18.29
    
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 3eae0f4f9f7206a4801efa5e0235c25bbd5a412c
Author: Hyunwoo Kim <imv4bel@gmail.com>
Date:   Fri May 8 17:53:09 2026 +0900

    rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present
    
    commit aa54b1d27fe0c2b78e664a34fd0fdf7cd1960d71 upstream.
    
    The DATA-packet handler in rxrpc_input_call_event() and the RESPONSE
    handler in rxrpc_verify_response() copy the skb to a linear one before
    calling into the security ops only when skb_cloned() is true.  An skb
    that is not cloned but still carries externally-owned paged fragments
    (e.g. SKBFL_SHARED_FRAG set by splice() into a UDP socket via
    __ip_append_data, or a chained skb_has_frag_list()) falls through to
    the in-place decryption path, which binds the frag pages directly into
    the AEAD/skcipher SGL via skb_to_sgvec().
    
    Extend the gate to also unshare when skb_has_frag_list() or
    skb_has_shared_frag() is true.  This catches the splice-loopback vector
    and other externally-shared frag sources while preserving the
    zero-copy fast path for skbs whose frags are kernel-private (e.g. NIC
    page_pool RX, GRO).  The OOM/trace handling already in place is reused.
    
    Fixes: d0d5c0cd1e71 ("rxrpc: Use skb_unshare() rather than skb_cow_data()")
    Cc: stable@vger.kernel.org
    Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
    Reviewed-by: Jiayuan Chen <jiayuan.chen@linux.dev>
    Acked-by: David Howells <dhowells@redhat.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>